
A Tangled Curl: Attacks on the Curl-P Hash Function Leading to Signature Forgeries in the IOTA Signature Scheme

Conference:  BlackHat USA 2018

2018-08-08

Summary

The presentation discusses a vulnerability in the IOTA cryptocurrency's hash function, Curl-P-27, which allowed chosen-message signature forgery attacks. The vulnerability stems from the simplicity of the Curl-P transform: each round replaces every trit of the 729-trit state with a lookup on just two trits of the previous state, which makes practical differential cryptanalysis possible.
  • Chosen-message signature forgery works in both the multi-signature and the single-signature setting
  • The root cause is the simplicity of the Curl-P-27 transform (a tiny S-box applied repeatedly)
  • The attack produces two bundles with the same Curl-P bundle hash but different payment values; the tag field is the free input that is varied to rerun the collision search
  • The vulnerability was disclosed to the IOTA developers and fixed by replacing Curl-P in signature generation with Kerl, a Keccak-based hash
  • The presentation highlights the importance of not designing one's own hash function and the limitations of small S-boxes in cryptography
The presenters demonstrated the attack by creating colliding bundles and changing the tag field to rerun it. They found the first collision in about three seconds on 80 cores and the second in about 23 seconds on average on 80 cores. Because the two bundles share a bundle hash while assigning different values to the parties in the transaction, a signature obtained on the benign bundle also validates the malicious one. After disclosure, IOTA replaced Curl-P in signature generation with Kerl.
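As an added illustration (not code from the talk, the paper or the IOTA project), the following Python reimplements the Curl-P sponge as published in the IOTA reference implementations: a 729-trit state, a 243-trit rate, and a transform in which every state trit is replaced by an 11-entry lookup on two trits of the previous state, run for 27 rounds. The `state_diff_after` probe shows why the transform's simplicity matters: after one round a single-trit input difference can reach at most two state trits, because every output trit reads exactly two inputs, which is the shallow structure that differential cryptanalysis exploits. The collision search itself is not reproduced here. The function names, the PRNG seed and the flipped trit position are my own choices.

```python
"""Curl-P sponge (IOTA's ternary hash, 27 rounds) and a one-trit avalanche probe."""
import random

HASH_LENGTH = 243                # trits absorbed/squeezed per block (the rate)
STATE_LENGTH = 3 * HASH_LENGTH   # 729-trit sponge state

# Curl-P S-box, indexed by a + 4*b + 5 for trits a, b in {-1, 0, 1}.
# Indices 3 and 7 are never reached; the 2 entries are placeholders.
TRUTH_TABLE = [1, 0, -1, 2, 1, -1, 0, 2, -1, 1, 0]


def transform(state, rounds):
    """Apply `rounds` Curl-P rounds to `state` in place and return it.

    Each new trit i is a 2-trit S-box lookup on the previous state: the
    read index walks 0, 364, 728, 363, 727, ... (a permutation of all 729
    positions), and trit i reads the current index and the next one.
    """
    if len(state) != STATE_LENGTH:
        raise ValueError("state must be %d trits" % STATE_LENGTH)
    for _ in range(rounds):
        prev = state[:]          # read from a copy, write into state
        index = 0
        for i in range(STATE_LENGTH):
            a = prev[index]
            index += 364 if index < 365 else -365
            b = prev[index]
            state[i] = TRUTH_TABLE[a + 4 * b + 5]
    return state


def curl_hash(trits, rounds=27):
    """Absorb `trits` in 243-trit chunks, then squeeze one 243-trit digest.

    A trailing partial chunk overwrites only the state trits it covers
    (assumption: this mirrors the reference absorb's handling of short input).
    """
    if any(t not in (-1, 0, 1) for t in trits):
        raise ValueError("input must be balanced trits")
    state = [0] * STATE_LENGTH
    for off in range(0, max(len(trits), 1), HASH_LENGTH):
        chunk = trits[off:off + HASH_LENGTH]
        state[:len(chunk)] = chunk
        transform(state, rounds)
    return state[:HASH_LENGTH]


def state_diff_after(rounds, seed=1, flip_pos=17):
    """Absorb one pseudorandom block twice, differing in a single trit, and
    count the state trits that differ after `rounds` rounds (constructed input)."""
    rng = random.Random(seed)
    block = [rng.choice((-1, 0, 1)) for _ in range(HASH_LENGTH)]
    twin = block[:]
    twin[flip_pos] = (twin[flip_pos] + 2) % 3 - 1     # rotate the trit so it differs
    padding = [0] * (STATE_LENGTH - HASH_LENGTH)
    s1 = transform(block + padding, rounds)
    s2 = transform(twin + padding, rounds)
    return sum(x != y for x, y in zip(s1, s2))


if __name__ == "__main__":
    print("digest trits:", len(curl_hash([1, 0, -1] * 81)))
    # After one round at most 2 of 729 trits differ; 27 rounds mix the difference
    # through most of the state, but the per-round structure is what the attack
    # path analysis works with.
    for r in (1, 2, 3, 27):
        print("rounds=%2d  differing state trits=%d" % (r, state_diff_after(r)))
```

One round never fully hides a difference: for a fixed second input the S-box is a bijection in its first input, so the position that reads the changed trit as `a` always flips, while the position that reads it as `b` flips only for some values of `a`. That is why the probe reports 1 or 2 differing trits after a single round.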

Abstract

Our talk presents attacks on the cryptography used in the cryptocurrency IOTA, which is currently the 10th largest cryptocurrency with a market capitalization of 2.8 billion USD. IOTA is billed as a next generation blockchain for the Internet of Things (IoT) and claims partnerships with major companies in the IoT space such as Volkswagen and Bosch.

We developed practical differential cryptanalysis attacks on IOTA's cryptographic hash function Curl-P, allowing us to quickly generate short colliding messages of the same length. Exploiting these weaknesses in Curl-P, we break the EU-CMA security of the IOTA signature scheme. Finally, we show that in a chosen message setting we can forge signatures on valid IOTA payments. We present and demonstrate a practical attack (achievable in a few minutes) whereby an attacker could forge a signature on an IOTA payment, and potentially use this forged signature to steal funds from another IOTA user.

After we disclosed our attacks to the IOTA project, they patched the vulnerabilities presented in our research. However, Curl-P is still used in other parts of IOTA.
